A flow is the complete source IP/port destination IP/port address.
Netflow is no less secure than regular security lists. It is vulnerable
to IP spoofing just like regular lists.
The idea is that once a source IP/port is authorized for a destination
IP/port address, it does not need to be checked each time. If nothing
changes -- the access list and the IP/port addresses -- then why check
every time?
I am not sure of the exact mechanics when an access list changes. This
is what I would be worried about. One would hope that all flows
pertaining to that list (and only those flows) would be re-authorized.
gary flynn wrote:
> "With Netflow Switching, only the first packet in a flow follows
> this process. If the first packet in a flow passes through these
> filters, an entry is added to the Netflow Switching cache. Subsequent
> packets in the same flow are then switched based on this cache
> entry, without needing to be matched against the complete set of
> access lists."
>
> Has anyone analyzed the security implications of this when the
> router is being used in a firewall application? It sounds great
> for performance but off-hand, it also sounds like there is room
> for abuse.
--
Marc Mosko Email: marc@tear.com
Web: http://www.tear.com/
"If anyone knocks out another's eye, he shall pay him
sixty-six shillings, six pence, and a third of a penny."
-- Leges Henrici Primi (13th century)
PGP Key available via Public Servers and
http://www.tear.com/pgp-key.html
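As an added illustration (not from the post above and not Cisco's actual implementation), the following toy model shows the concern raised about access-list changes: a flow whose first packet was permitted stays permitted from the cache, and whether a later deny rule ever takes effect depends entirely on the cache being invalidated. The Flow/Rule/FlowSwitch names, the first-match/implicit-deny ACL semantics and the invalidate-on-change behaviour are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    # Toy flow key: the source IP/port and destination IP/port pair.
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    dst_port: int = 0  # 0 matches any destination port

def acl_decision(acl, flow):
    """First-match evaluation with an implicit deny at the end (assumed semantics)."""
    for r in acl:
        if (ip_address(flow.src_ip) in ip_network(r.src)
                and ip_address(flow.dst_ip) in ip_network(r.dst)
                and (r.dst_port == 0 or r.dst_port == flow.dst_port)):
            return r.action == "permit"
    return False

class FlowSwitch:
    """Consults the ACL only for the first packet of a flow; later packets hit the cache."""
    def __init__(self, acl, invalidate_on_change):
        self.acl = list(acl)
        self.cache = {}                  # Flow -> cached permit/deny verdict
        self.invalidate_on_change = invalidate_on_change
        self.acl_lookups = 0             # how often the full ACL was actually evaluated
    def forward(self, flow):
        if flow in self.cache:           # hot path: no access-list lookup at all
            return self.cache[flow]
        self.acl_lookups += 1
        self.cache[flow] = verdict = acl_decision(self.acl, flow)
        return verdict
    def update_acl(self, new_acl):
        self.acl = list(new_acl)
        if self.invalidate_on_change:    # force re-authorization of every cached flow
            self.cache.clear()

def demo(invalidate_on_change):
    """Permit a telnet flow, cache it, then change the ACL to deny it (constructed sample)."""
    flow = Flow("10.0.0.5", 40000, "192.0.2.10", 23)
    sw = FlowSwitch([Rule("permit", "10.0.0.0/8", "192.0.2.0/24", 23)], invalidate_on_change)
    first, second = sw.forward(flow), sw.forward(flow)
    sw.update_acl([Rule("deny", "10.0.0.0/8", "192.0.2.0/24", 23)])
    return first, second, sw.forward(flow), sw.acl_lookups
```

With invalidation disabled, demo(False) keeps forwarding the flow after the deny rule is installed and never re-consults the ACL; demo(True) re-evaluates the flow on its next packet and drops it.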